Hoare Logic and Model Checking
|
|
- Allan Campbell
- 6 years ago
- Views:
Transcription
1 Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft
2 Introduction In the previous lecture we saw the informal concepts that Separation Logic is based on. This lecture will introduce a formal proof system for Separation logic present examples to illustrate the power of Separation logic The lecture will be focused on partial correctness. 1
3 A proof system for Separation logic
4 Separation Logic Separation logic inherits all the partial correctness rules from Hoare logic that you have already seen and extends them with the frame rule rules for each new heap-primitive Some of the derived rules for plain Hoare logic no longer hold for separation logic (e.g., the rule of constancy). 2
5 The frame rule The frame rule expresses that Separation logic triples always preserve any resources disjoint from the precondition. {P} C {Q} mod(c) FV (R) = {P R} C {Q R} The second hypothesis ensures that the frame R does not refer to any program variables modified by the command C. 3
6 The heap assignment rule Separation logic triples must assert ownership of any heap-cells modified by the command. The heap assignment axiom thus asserts ownership of the heap location being assigned. {E 1 } [E 1 ] := E 2 {E 1 E 2 } Here we use E 1 as shorthand for v. E 1 v. 4
7 The heap dereference rule Separation logic triples must ensure the command does not fault. The heap dereference rule thus asserts ownership of the given heap location to ensure the location is allocated in the heap. {E v X = x} X := [E] {E[x/X ] v X = v} Here the auxiliary variable x is used to refer to the initial value of X in the postcondition. 5
8 Separation logic The assignment rule introduces a new points-to assertion for each newly allocated location: {X = x} X := cons(e 1,..., E n ) {X E 1 [x/x ],..., E n [x/x ]} The deallocation rule destroys the points-to assertion for the location to be deallocated: {E } dispose(e) {emp} 6
9 Swap example To illustrate these rules, consider the following code-snippet: C swap A := [X ]; B := [Y ]; [X ] := B; [Y ] := A; We want to show that it swaps the values in the locations referenced by X and Y, when X and Y do not alias: {X v 1 Y v 2 } C swap {X v 2 Y v 1 } 7
10 Swap example Below is a proof-outline of the main steps: {X v 1 Y v 2 } A := [X ]; {X v 1 Y v 2 A = v 1 } B := [Y ]; {X v 1 Y v 2 A = v 1 B = v 2 } [X ] := B; {X B Y v 2 A = v 1 B = v 2 } [Y ] := A; {X B Y A A = v 1 B = v 2 } {X v 2 Y v 1 } 8
11 Swap example To prove this first triple, we use the heap-dereference rule to derive: {X v 1 A = a} A := [X ] {X [a/a] v 1 A = v 1 } Then we existentially quantify the auxiliary variable a: { a. X v 1 A = a} A := [X ] { a. X [a/a] v 1 A = v 1 } Applying the rule-of-consequence we obtain: {X v 1 } A := [X ] {X v 1 A = v 1 } Since A := [X ] does not modify Y we can frame on Y v 2 : {X v 1 Y v 2 } A := [X ] {(X v 1 A = v 1 ) Y v 2 } Lastly, by the rule-of-consequence we obtain: {X v 1 Y v 2 } A := [X ] {X v 1 Y v 2 A = v 1 } 9
12 Swap example For the last application of consequence, we need to show that: (X v 1 A = v 1 ) Y v 2 X v 1 Y v 2 A = v 1 To prove this we need proof rules for the new separation logic primitives. 10
13 Separation logic assertions Separation conjunction is commutative and associative operator with emp as a neutral element: P Q Q P (P Q) R P (Q R) P emp P Separation conjunction is monotone with respect to implication: P 1 Q 1 P 2 Q 2 P 1 P 2 Q 1 Q 2 11
14 Separation logic assertions Separating conjunction distributes over disjunction and semi-distributes over conjunction: (P Q) R (P R) (Q R) (P Q) R (P R) (Q R) Taking R X 1 Y 1, P X 1 and Q X 1 yields a counterexample to distributivity over conjunction in the other direction: = (P R) (Q R) (P Q) R 12
15 Separation logic assertions An assertion is pure if it does not contain emp, or. Separation conjunction and conjunction collapses for pure assertions: P Q P Q P Q P Q (P Q) R P (Q R) when P or Q is pure when P and Q are pure when P is pure 13
16 Verifying abstract data types
17 Verifying ADTs Separation Logic is very well-suited for specifying and reasoning about data structures typically found in standard libraries such as lists, queues, stacks, etc. To illustrate we will specify and verify a library for working with linked lists in Separation Logic. 14
18 A linked list library First we need to define a memory representation for our linked lists. We will use a singly-linked list, starting from some designated head variable that refers to the first element of the list and terminating with a null-pointer. For instance, we will represent a list containing the values 12, 99 and 37 as follows head
19 Representation predicates To formalise the memory representation, Separation Logic uses representation predicates that relate an abstract description of the state of the data structure with its memory representations. For our example, we want a predicate list(head, α) that relates a mathematical list, α, with its memory representation. To define such a predicate formally, we need to extend the assertion logic to reason about mathematical lists, support for predicates and inductive definitions. We will elide these details. 16
20 Representation predicates We are going to define the list(head, α) predicate by induction on the list α. We need to consider two cases: the empty list and an element x appended to a list β. An empty list is represented as a null-pointer list(head, []) = def head = null The list x :: β is represented by a reference to two consecutive heap-cells that contain the value x and a representation of the rest of the list, respectively list(head, x :: β) = def y. head x (head + 1) y list(y, β) 17
21 Representation predicates The representation predicate allows us to specify the behaviour of the list operations by their effect on the abstract state of the list Imagine C push is an implementation of an push operation that pushes the value stored in variable X to the front of the list referenced by variable HEAD and stores a reference to the new list in HEAD We can specify this operation in terms of its behaviour on the abstract state of the list as follows {list(head, α) X = x} C add {list(head, x :: α)} 18
22 Representation predicates We can specify all the operations of the library in a similar manner {emp} C new {list(head, [])} {list(head, α) X = x} C push {list(head, x :: α)} {list(head, x :: α)} C pop {list(head, α) RET = x} {list(head, [])} C pop {list(head, []) RET = null} {list(head, α)} C delete {emp} 19
23 Implementation of push The push operation stores the HEAD pointer pointer into a temporary variable Y before allocating two consecutive heap-cells for the new list element and updating HEAP: C push Y := HEAD; HEAD := cons(x, Y ) We wish to prove it satisfies the following specification: {list(head, α) X = x} C push {list(head, x :: α)} 20
24 Proof outline for push Here is a proof outline for the push operation. {list(head, α) X = x} Y := HEAD {list(y, α) X = x} HEAD := cons(x, Y ) {list(y, α) HEAD X, Y X = x} {list(head, X :: α) X = x} {list(head, x :: α)} For the cons step we frame off list(y, α) X = x. 21
25 Implementation of delete The delete operation iterates down over the list, deallocating nodes until it reaches the end of the list. C delete X := HEAD; while X NULL do Y := [X + 1]; dispose(x ); dispose(x + 1); X := Y To prove that delete satisfies its intended specification, {list(head, α)} C delete {emp} we need a suitable invariant: that we own the rest of the list. 22
26 Proof outline for delete {list(head, α)} X := HEAD; {list(x, α)} { α. list(x, α)} while X NULL do { α. list(x, α) X NULL} (Y := [X + 1]; dispose(x ); dispose(x + 1); X := Y ) { α. list(x, α)} {list(x, α) (X NULL)} {emp} 23
27 Proof outline for loop-body of delete To verify the loop-body we need a lemma to unfold the list representation predicate in the non-null case: { α. list(x, α) X NULL} { v, t, α. X v, t list(t, α)} Y := [X + 1]; { v, α. X v, Y list(y, α)} dispose(x ); dispose(x + 1); { α. list(y, α)} X := Y { α. list(x, α)} 24
28 Concurrency (not examinable)
29 Concurrency Imagine extending our WHILE p language with a parallel composition construct, C 1 C 2, which executes the two statements C 1 and C 2 in parallel. The statement C 1 C 2 reduces by interleaving execution steps of C 1 and C 2, until both have terminated, before continuing program execution. For instance, (X := 0 X := 1); print(x ) will randomly print 0 or 1. 25
30 Concurrency Adding parallelism complicates reasoning by introducing the possibility of concurrent interference on shared state. While separation logic does extend to reason about general concurrent interference, we will focus on two common idioms of concurrent programming with limited forms of interference: disjoint concurrency well-synchronised shared state 26
31 Disjoint concurrency Disjoint concurrency refers to multiple commands potentially executing in parallel but all working on disjoint state. Parallel implementations of divide-and-conquer algorithms can often be expressed using disjoint concurrency. For instance, in a parallel merge sort the recursive calls to merge sort operate on disjoint parts of the underlying array. 27
32 Disjoint concurrency The proof rule for disjoint concurrency requires us to split our resources into two disjoint parts, P 1 and P 2, and give each parallel command ownership of one of them. {P 1 } C 1 {Q 1 } {P 2 } C 2 {Q 2 } mod(c 1 ) FV (P 2, Q 2 ) = mod(c 2 ) FV (P 1, Q 1 ) = {P 1 P 2 } C 1 C 2 {Q 1 Q 2 } The third hypothesis ensures C 1 does not modify any program variables used in the specification of C 2 and vice versa. 28
33 Disjoint concurrency example Here is a simple example to illustrate two parallel increment operations that operate on disjoint parts of the heap: {X 3 Y 4} {X 3} {Y 4} A := [X ]; [X ] := A + 1 B := [Y ]; [Y ] := B + 1 {X 4} {Y 5} {X 4 Y 5} 29
34 Well-synchronised shared state Well-synchronised shared state refers to the common concurrency idiom of using locks to ensure exclusive access to state shared between multiple threads. To reason about locking, Concurrent Separation Logic extends separation logic with lock invariants that describe the resources protected by locks. When acquiring a lock, the acquiring thread takes ownership of the lock invariant and when releasing the lock, must give back ownership of the lock invariant. 30
35 Well-synchronised shared state To illustrate, consider a simplified setting with a single global lock. We write I {P} C {Q} to indicate that we can derive the given triple assuming the lock invariant is I. I {emp} acquire {I locked} I {I locked} release {emp} where I is not allowed to refer to any program variables. The locked resource ensures the lock can only be released by the thread that currently has the lock. 31
36 Well-synchronised shared state example To illustrate, consider a program with two threads that both access a number stored in shared heap cell at location x in parallel. Thread A increments the number by 2 and thread B multiplies the number by 10. The threads use a lock to ensure their accesses are well-synchronised. Assuming x initially contains an even number, we wish to prove that x is still even after the two parallel threads have terminated. 32
37 Well-synchronised shared state example First, we need to define a lock invariant. The lock invariant needs to own the shared heap cell at location x and should express that it always contains an even number: I = def v. x v even(v) 33
38 ... Assuming the lock invariant I is v. x v even(v), we have: {X = x emp} {X = x emp} {X = x emp} acquire; acquire; {X = x I locked} {X = x I locked} A := [X ]; [X ] := A + 2; B := [X ]; [X ] := B 10; {X = x I locked} {X = x I locked} release; release; {X = x emp} {X = x emp} {X = x emp} 34
39 Summary Abstract data types are specified using representation predicates which relate an abstract model of the state of the data structure with a concrete memory representation. Separation logic supports reasoning about well-synchronised concurrent programs, using lock invariants to guard access to shared state. Suggested reading: Peter O Hearn. Resources, Concurrency and Local Reasoning. 35
Hoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic
Introduction Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that Separation Logic is based on. Kasper Svendsen University of Cambridge CST Part II 2016/17 This lecture
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Pointers Pointers and
More informationHoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic
Introduction Hoare logic Lecture 5: Introduction to separation logic In the previous lectures, we have considered a language, WHILE, where mutability only concerned program variables. Jean Pichon-Pharabod
More informationHoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18
Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of Cambridge CST Part II 2017/18 Introduction In the previous lectures, we have considered a language, WHILE, where
More informationThe Rule of Constancy(Derived Frame Rule)
The Rule of Constancy(Derived Frame Rule) The following derived rule is used on the next slide The rule of constancy {P } C {Q} {P R} C {Q R} where no variable assigned to in C occurs in R Outline of derivation
More informationHoare triples. Floyd-Hoare Logic, Separation Logic
Hoare triples Floyd-Hoare Logic, Separation Logic 1. Floyd-Hoare Logic 1969 Reasoning about control Hoare triples {A} p {B} a Hoare triple partial correctness: if the initial state satisfies assertion
More informationAn Annotated Language
Hoare Logic An Annotated Language State and Semantics Expressions are interpreted as functions from states to the corresponding domain of interpretation Operators have the obvious interpretation Free of
More informationLecture 5 - Axiomatic semantics
Program Verification March 2014 Lecture 5 - Axiomatic semantics Lecturer: Noam Rinetzky Scribes by: Nir Hemed 1.1 Axiomatic semantics The development of the theory is contributed to Robert Floyd, C.A.R
More informationProgram logics for relaxed consistency
Program logics for relaxed consistency UPMARC Summer School 2014 Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 1st Lecture, 28 July 2014 Outline Part I. Weak memory models 1. Intro
More informationIntegrating Arrays into the Heap-Hop program prover
Integrating Arrays into the Heap-Hop program prover Ioana Cristescu under the supervision of Jules Villard Queen Mary University of London 7 September 2011 1 / 29 Program verification using Heap-Hop Program
More informationCompilation and Program Analysis (#11) : Hoare triples and shape analysis
Compilation and Program Analysis (#11) : Hoare triples and shape analysis Laure Gonnord http://laure.gonnord.org/pro/teaching/capm1.html Laure.Gonnord@ens-lyon.fr Master 1, ENS de Lyon dec 2017 Inspiration
More informationInferring Invariants in Separation Logic for Imperative List-processing Programs
Inferring Invariants in Separation Logic for Imperative List-processing Programs Stephen Magill Carnegie Mellon University smagill@cs.cmu.edu Aleksandar Nanevski Harvard University aleks@eecs.harvard.edu
More informationPrecision and the Conjunction Rule in Concurrent Separation Logic
Precision and the Conjunction Rule in Concurrent Separation Logic Alexey Gotsman a Josh Berdine b Byron Cook b,c a IMDEA Software Institute b Microsoft Research c Queen Mary University of London Abstract
More informationPLSV, Mock Test, 2011
PLSV, Mock Test, 2011 Question 1 The lseg predicate describes a segment of a singly-linked list. It is defined to be the least predicate satisfying the following equation: lseg(e, F ) (E = F emp) (E F
More informationSeparation Logic: syntax, semantics and calculus
Separation Logic: syntax, semantics and calculus Syntax Semantics Calculus emp SL N/A FOL N/A = + Arithmetic N/A := ; while if then else [.] dispose(.) cons(.) State is a pair (Store,Heap) St(.) maps variables
More informationBI as an Assertion Language for Mutable Data Structures
BI as an Assertion Language for Mutable Data Structures Samin Ishtiaq Peter W. O Hearn Queen Mary & Westfield College, London ABSTRACT Reynolds has developed a logic for reasoning about mutable data structures
More informationHarvard School of Engineering and Applied Sciences CS 152: Programming Languages
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 19 Tuesday, April 3, 2018 1 Introduction to axiomatic semantics The idea in axiomatic semantics is to give specifications
More informationMain Goal. Language-independent program verification framework. Derive program properties from operational semantics
Main Goal Language-independent program verification framework Derive program properties from operational semantics Questions: Is it possible? Is it practical? Answers: Sound and complete proof system,
More informationVerifying Concurrent Memory Reclamation Algorithms with Grace
Verifying Concurrent Memory Reclamation Algorithms with Grace Alexey Gotsman, Noam Rinetzky, and Hongseok Yang 1 IMDEA Software Institute 2 Tel-Aviv University 3 University of Oxford Abstract. Memory management
More information6. Hoare Logic and Weakest Preconditions
6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program
More informationLecture Notes: Hoare Logic
Lecture Notes: Hoare Logic 17-654/17-754: Analysis of Software Artifacts Jonathan Aldrich (jonathan.aldrich@cs.cmu.edu) Lecture 3 1 Hoare Logic The goal of Hoare logic is to provide a formal system for
More informationCompositional Resource Invariant Synthesis
Compositional Resource Invariant Synthesis Cristiano Calcagno 1, Dino Distefano 2, and Viktor Vafeiadis 3 1 Imperial College 2 Queen Mary University of London 3 Microsoft Research, Cambridge Abstract.
More informationJoins: A Case Study in Modular Specification of a Concurrent Reentrant Higher-order Library
Joins: A Case Study in Modular Specification of a Concurrent Reentrant Higher-order Library Kasper Svendsen 1, Lars Birkedal 1, and Matthew Parkinson 2 1 IT University of Copenhagen, {kasv,birkedal}@itu.dk
More informationInferring Invariants in Separation Logic for Imperative List-processing Programs
Inferring Invariants in Separation Logic for Imperative List-processing Programs Stephen Magill Carnegie Mellon University smagill@cs.cmu.edu Aleksandar Nanevski Harvard University aleks@eecs.harvard.edu
More informationTheorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214
Theorem proving PVS theorem prover Abhik Roychoudhury National University of Singapore Both specification and implementation can be formalized in a suitable logic. Proof rules for proving statements in
More informationAutomating Separation Logic for Concurrent C Minor
Automating Separation Logic for Concurrent C Minor William Mansky Princeton University, May 23, 2008 Abstract In this paper, I demonstrate the implementation of several tools for program analysis in a
More informationSeparation Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré. Australian National University Semester 2, 2016
Separation Logic COMP2600 Formal Methods for Software Engineering Rajeev Goré Australian National University Semester 2, 2016 COMP 2600 Separation Logic 1 Motivation: Reasoning About Pointers Recall this
More informationWarm-Up Problem. 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment: x (assignment)
Warm-Up Problem 1 What is the definition of a Hoare triple satisfying partial correctness? 2 Recall the rule for assignment: x (assignment) Why is this the correct rule and not the following rule? x (assignment)
More informationBi-Abductive Resource Invariant Synthesis
Bi-Abductive Resource Invariant Synthesis Cristiano Calcagno 1, Dino Distefano 2, and Viktor Vafeiadis 3 1 Imperial College 2 Queen Mary University of London 3 Microsoft Research, Cambridge Abstract. We
More informationThe theory of Mezzo. François Pottier. IHP, April 2014 INRIA
The theory of Mezzo François Pottier INRIA IHP, April 2014 1 / 94 Acknowledgements Jonathan Protzenko, Thibaut Balabonski, Henri Chataing, Armaël Guéneau, Cyprien Mangin. 2 / 94 Outline Introduction The
More informationChapter 1. Introduction
1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in
More informationModular Reasoning about Separation of Concurrent Data Structures
Modular Reasoning about Separation of Concurrent Data Structures Kasper Svendsen 1, Lars Birkedal 1, and Matthew Parkinson 2 1 T University of Copenhagen, {kasv,birkedal}@itu.dk 2 Microsoft Research Cambridge,
More informationRuntime Checking for Program Verification Systems
Runtime Checking for Program Verification Systems Karen Zee, Viktor Kuncak, and Martin Rinard MIT CSAIL Tuesday, March 13, 2007 Workshop on Runtime Verification 1 Background Jahob program verification
More informationReminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture
Reminder of the last lecture Aliasing Issues: Call by reference, Pointer programs Claude Marché Cours MPRI 2-36-1 Preuve de Programme 18 janvier 2017 Additional features of the specification language Abstract
More informationA Proposal for Weak-Memory Local Reasoning
A Proposal for Weak-Memory Local Reasoning Ian Wehrman and Josh Berdine Abstract Program logics are formal systems for specifying and reasoning about software programs. Most program logics make the strong
More informationA Shape Graph Logic and A Shape System
Li ZP, Zhang Y, Chen YY. A shape graph logic and a shape system. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 28(6): 1????? Nov. 2013. DOI 10.1007/s11390-013-1398-1 A Shape Graph Logic and A Shape System
More informationLectures 20, 21: Axiomatic Semantics
Lectures 20, 21: Axiomatic Semantics Polyvios Pratikakis Computer Science Department, University of Crete Type Systems and Static Analysis Based on slides by George Necula Pratikakis (CSD) Axiomatic Semantics
More informationShared Variables and Interference
Illinois Institute of Technology Lecture 24 Shared Variables and Interference CS 536: Science of Programming, Spring 2018 A. Why Parallel programs can coordinate their work using shared variables, but
More informationType Soundness and Race Freedom for Mezzo
Type Soundness and Race Freedom for Mezzo Thibaut Balabonski François Pottier Jonathan Protzenko INRIA FLOPS 2014 1 / 42 Mezzo in a few words Mezzo is a high-level programming language, equipped with:
More informationConcurrent library abstraction without information hiding
Universidad Politécnica de Madrid Escuela técnica superior de ingenieros informáticos Concurrent library abstraction without information hiding Artem Khyzha Advised by Manuel Carro and Alexey Gotsman Madrid
More informationPlan of the lecture. Quick-Sort. Partition of lists (or using extra workspace) Quick-Sort ( 10.2) Quick-Sort Tree. Partitioning arrays
Plan of the lecture Quick-sort Lower bounds on comparison sorting Correctness of programs (loop invariants) Quick-Sort 7 4 9 6 2 2 4 6 7 9 4 2 2 4 7 9 7 9 2 2 9 9 Lecture 16 1 Lecture 16 2 Quick-Sort (
More information5 Exercise Formal Specification winter term 2010/11
5 Exercise Formal Specification winter term 2010/11 Dipl.-Wirt.-Inf. Ulrich Wolffgang Department of Information Systems, University of Münster January 12, 2011 Agenda Exercise 12 Exercise 13 Next exercise
More informationDATA STRUCTURES AND ALGORITHMS
DATA STRUCTURES AND ALGORITHMS For COMPUTER SCIENCE DATA STRUCTURES &. ALGORITHMS SYLLABUS Programming and Data Structures: Programming in C. Recursion. Arrays, stacks, queues, linked lists, trees, binary
More informationVerifying Concurrent Programs with VST
Verifying Concurrent Programs with VST William Mansky 1 Introduction As of version 2.1, VST includes support for verifying concurrent programs with userdefined ghost state, as in modern concurrent separation
More informationGetting Started with AutoCorres
Getting Started with AutoCorres Japheth Lim Rohan Jacob-Rao David Greenaway September 10, 2018 Contents 1 Introduction 2 2 A First Proof with AutoCorres 2 2.1 Two simple functions: min and max...............
More informationA Separation Logic for Fictional Sequential Consistency
A Separation Logic for Fictional Sequential Consistency Filip Sieczkowski 1, Kasper Svendsen 1, Lars Birkedal 1, and Jean Pichon-Pharabod 2 1 Aarhus University {filips, ksvendsen, birkedal}@cs.au.dk 2
More informationAn Overview of Separation Logic
An Overview of Separation Logic John C. Reynolds Computer Science Department Carnegie Mellon University john.reynolds@cs.cmu.edu Abstract. After some general remarks about program verification, we introduce
More informationDenotational Semantics of a Simple Imperative Language Using Intensional Logic
Denotational Semantics of a Simple Imperative Language Using Intensional Logic Marc Bender bendermm@mcmaster.ca CAS 706 - Programming Languages Instructor: Dr. Jacques Carette Dept. of Computing and Software
More informationLecture Notes on Queues
Lecture Notes on Queues 15-122: Principles of Imperative Computation Frank Pfenning and Jamie Morgenstern Lecture 9 February 14, 2012 1 Introduction In this lecture we introduce queues as a data structure
More informationLecture Notes on Memory Layout
Lecture Notes on Memory Layout 15-122: Principles of Imperative Computation Frank Pfenning André Platzer Lecture 11 1 Introduction In order to understand how programs work, we can consider the functions,
More informationLecture 10 Notes Linked Lists
Lecture 10 Notes Linked Lists 15-122: Principles of Imperative Computation (Spring 2016) Frank Pfenning, Rob Simmons, André Platzer 1 Introduction In this lecture we discuss the use of linked lists to
More informationShared Variables and Interference
Solved Shared Variables and Interference CS 536: Science of Programming, Fall 2018 A. Why Parallel programs can coordinate their work using shared variables, but it s important for threads to not interfere
More informationOutline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include
Outline Computer Science 331 Correctness of Algorithms Mike Jacobson Department of Computer Science University of Calgary Lectures #2-4 1 What is a? Applications 2 Recursive Algorithms 3 Final Notes Additional
More informationMathematical Induction
Mathematical Induction Victor Adamchik Fall of 2005 Lecture 3 (out of three) Plan 1. Recursive Definitions 2. Recursively Defined Sets 3. Program Correctness Recursive Definitions Sometimes it is easier
More informationShape-Value Abstraction for Verifying Linearizability
Shape-Value Abstraction for Verifying Linearizability Viktor Vafeiadis Microsoft Research, Cambridge, UK Abstract. This paper presents a novel abstraction for heap-allocated data structures that keeps
More informationHiding local state in direct style: a higher-order anti-frame rule
1 / 65 Hiding local state in direct style: a higher-order anti-frame rule François Pottier January 28th, 2008 2 / 65 Contents Introduction Basics of the type system A higher-order anti-frame rule Applications
More informationSeparation Logic Tutorial
Separation Logic Tutorial (To appear in Proceedings of ICLP 08) Peter O Hearn Queen Mary, University of London Separation logic is an extension of Hoare s logic for reasoning about programs that manipulate
More informationEncoding Separation Logic in Coq and Its Application
Encoding Separation Logic in Coq and Its Application Renald Affeldt AIST-RCIS Nicolas Marti Universit of Toko Research Project Verification of low-level software: Specialized operating sstems Device drivers
More informationTaDA: A Logic for Time and Data Abstraction
TaD: Logic for Time and Data bstraction Pedro da Rocha Pinto 1, Thomas Dinsdale-Young 2, and Philippa Gardner 1 1 Imperial College London pmd09,pg@doc.ic.ac.uk 2 arhus University tyoung@cs.au.dk bstract.
More informationProgram Verification. Program Verification 307/434
Program Verification Program Verification 307/434 Outline Introduction: What and Why? Pre- and Postconditions Conditionals while-loops and Total Correctness Arrays Program Verification Introduction 308/434
More informationCS 270 Algorithms. Oliver Kullmann. Binary search. Lists. Background: Pointers. Trees. Implementing rooted trees. Tutorial
Week 7 General remarks Arrays, lists, pointers and 1 2 3 We conclude elementary data structures by discussing and implementing arrays, lists, and trees. Background information on pointers is provided (for
More informationFrom Event-B Models to Dafny Code Contracts
From Event-B Models to Dafny Code Contracts Mohammadsadegh Dalvandi, Michael Butler, Abdolbaghi Rezazadeh Electronic and Computer Science School, University of Southampton Southampton, United Kingdom {md5g11,mjb,ra3}@ecs.soton.ac.uk
More information1 P age DS & OOPS / UNIT II
UNIT II Stacks: Definition operations - applications of stack. Queues: Definition - operations Priority queues - De que Applications of queue. Linked List: Singly Linked List, Doubly Linked List, Circular
More informationLecture 10 Notes Linked Lists
Lecture 10 Notes Linked Lists 15-122: Principles of Imperative Computation (Summer 1 2015) Frank Pfenning, Rob Simmons, André Platzer 1 Introduction In this lecture we discuss the use of linked lists to
More informationProgramming Languages Third Edition
Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar with a sample small language for the purpose of semantic specification Understand operational semantics Understand
More informationSolutions to Problem Set 1
CSCI-GA.3520-001 Honors Analysis of Algorithms Solutions to Problem Set 1 Problem 1 An O(n) algorithm that finds the kth integer in an array a = (a 1,..., a n ) of n distinct integers. Basic Idea Using
More informationCSE 20 DISCRETE MATH. Winter
CSE 20 DISCRETE MATH Winter 2017 http://cseweb.ucsd.edu/classes/wi17/cse20-ab/ Final exam The final exam is Saturday March 18 8am-11am. Lecture A will take the exam in GH 242 Lecture B will take the exam
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Schedule of Lectures Jan 17/19: Interprocedural DFA
More informationVariable Side Conditions and Greatest Relations in Algebraic Separation Logic
Variable Side Conditions and Greatest Relations in Algebraic Separation Logic Han-Hing Dang and Peter Höfner Institut für Informatik, Universität Augsburg, D-86159 Augsburg, Germany {h.dang,hoefner}@informatik.uni-augsburg.de
More informationimplementing the breadth-first search algorithm implementing the depth-first search algorithm
Graph Traversals 1 Graph Traversals representing graphs adjacency matrices and adjacency lists 2 Implementing the Breadth-First and Depth-First Search Algorithms implementing the breadth-first search algorithm
More informationOutline. Computer Science 331. Three Classical Algorithms. The Sorting Problem. Classical Sorting Algorithms. Mike Jacobson. Description Analysis
Outline Computer Science 331 Classical Sorting Algorithms Mike Jacobson Department of Computer Science University of Calgary Lecture #22 1 Introduction 2 3 4 5 Comparisons Mike Jacobson (University of
More informationReminder from last time
Concurrent systems Lecture 5: Concurrency without shared data, composite operations and transactions, and serialisability DrRobert N. M. Watson 1 Reminder from last time Liveness properties Deadlock (requirements;
More informationThe Pointer Assertion Logic Engine
The Pointer Assertion Logic Engine [PLDI 01] Anders Mφller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach
More informationCS301 - Data Structures Glossary By
CS301 - Data Structures Glossary By Abstract Data Type : A set of data values and associated operations that are precisely specified independent of any particular implementation. Also known as ADT Algorithm
More informationNon-blocking Array-based Algorithms for Stacks and Queues!
Non-blocking Array-based Algorithms for Stacks and Queues! Niloufar Shafiei! Department of Computer Science and Engineering York University ICDCN 09 Outline! Introduction! Stack algorithm! Queue algorithm!
More informationCOMP250: Loop invariants
COMP250: Loop invariants Jérôme Waldispühl School of Computer Science McGill University Based on (CRLS, 2009) & slides from (Sora,2015) Algorithm specification An algorithm is described by: Input data
More informationLecture 18 Restoring Invariants
Lecture 18 Restoring Invariants 15-122: Principles of Imperative Computation (Spring 2018) Frank Pfenning In this lecture we will implement heaps and operations on them. The theme of this lecture is reasoning
More informationLocal Reasoning for Storable Locks and Threads
Local Reasoning for Storable Locks and Threads Alexey Gotsman 1, Josh Berdine 2, Byron Cook 2, Noam Rinetzky 3, and Mooly Sagiv 2,3 1 University of Cambridge 2 Microsoft Research 3 Tel-Aviv University
More informationAbstract Local Reasoning for Concurrent Libraries: Mind the Gap
MFPS 2014 Abstract Local Reasoning for Concurrent Libraries: Mind the Gap Philippa Gardner, Azalea Raad, Mark Wheelhouse, Adam Wright 1 Department of Computing, Imperial College London, UK Abstract We
More informationRecursion and Induction
Recursion and Induction Paul S. Miner NASA Langley Formal Methods Group p.s.miner@nasa.gov 28 November 2007 Outline Recursive definitions in PVS Simple inductive proofs Automated proofs by induction More
More informationCS 161 Computer Security
Wagner Spring 2014 CS 161 Computer Security 1/27 Reasoning About Code Often functions make certain assumptions about their arguments, and it is the caller s responsibility to make sure those assumptions
More informationSeparation and Information Hiding
Separation and Information Hiding Peter W. O Hearn Queen Mary University of London Hongseok Yang Seoul National University John C. Reynolds Carnegie Mellon University Abstract We investigate proof rules
More informationCIS 1.5 Course Objectives. a. Understand the concept of a program (i.e., a computer following a series of instructions)
By the end of this course, students should CIS 1.5 Course Objectives a. Understand the concept of a program (i.e., a computer following a series of instructions) b. Understand the concept of a variable
More informationProblem Sheet 1: Axiomatic Semantics
Problem Sheet 1: Axiomatic Semantics Chris Poskitt ETH Zürich Starred exercises ( ) are more challenging than the others. 1 Partial and Total Correctness Recall the Hoare triple from lectures, {pre} P
More informationLindsay Groves, Simon Doherty. Mark Moir, Victor Luchangco
Lindsay Groves, Simon Doherty Victoria University of Wellington Mark Moir, Victor Luchangco Sun Microsystems, Boston (FORTE, Madrid, September, 2004) Lock-based concurrency doesn t scale Lock-free/non-blocking
More informationHOL DEFINING HIGHER ORDER LOGIC LAST TIME ON HOL CONTENT. Slide 3. Slide 1. Slide 4. Slide 2 WHAT IS HIGHER ORDER LOGIC? 2 LAST TIME ON HOL 1
LAST TIME ON HOL Proof rules for propositional and predicate logic Safe and unsafe rules NICTA Advanced Course Forward Proof Slide 1 Theorem Proving Principles, Techniques, Applications Slide 3 The Epsilon
More informationLecture 10 Linked Lists
Lecture 10 Linked Lists 15-122: Principles of Imperative Computation (Spring 2017) Frank Pfenning, Rob Simmons, André Platzer 1 Introduction In this lecture we discuss the use of linked lists to implement
More informationFine-grain concurrency
Communicating Process Architectures 2007 All the editors (Eds.) IOS Press, 2007 1 Fine-grain concurrency Tony Hoare Microsoft Research, Cambridge Abstract. I have been interested in concurrent programming
More informationLecture 3: Art Gallery Problems and Polygon Triangulation
EECS 396/496: Computational Geometry Fall 2017 Lecture 3: Art Gallery Problems and Polygon Triangulation Lecturer: Huck Bennett In this lecture, we study the problem of guarding an art gallery (specified
More informationBlaming the client: on data refinement in the presence of pointers
Blaming the client: on data refinement in the presence of pointers Ivana Filipović, Peter O Hearn, Noah Torp-Smith, Hongseok Yang To cite this version: Ivana Filipović, Peter O Hearn, Noah Torp-Smith,
More informationNON-BLOCKING DATA STRUCTURES AND TRANSACTIONAL MEMORY. Tim Harris, 31 October 2012
NON-BLOCKING DATA STRUCTURES AND TRANSACTIONAL MEMORY Tim Harris, 31 October 2012 Lecture 6 Linearizability Lock-free progress properties Queues Reducing contention Explicit memory management Linearizability
More informationRuntime Checking and Test Case Generation for Python
Runtime Checking and Test Case Generation for Python Anna Durrer Master Thesis Chair of Programming Methodology D-INFK ETH Supervisor: Marco Eilers, Prof. Peter Müller 24. Mai 2017 1 Introduction This
More informationA Grainless Semantics for Parallel Programs with Shared Mutable Data
MFPS XX1 Preliminary Version A Grainless Semantics for Parallel Programs with Shared Mutable Data Stephen Brookes Department of Computer Science Carnegie Mellon University Pittsburgh, USA Abstract We provide
More informationReasoning about the C/C++ weak memory model
Reasoning about the C/C++ weak memory model Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 13 October 2014 Talk outline I. Introduction Weak memory models The C11 concurrency model
More informationSemantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics
There is no single widely acceptable notation or formalism for describing semantics Operational Describe the meaning of a program by executing its statements on a machine, either simulated or actual. The
More informationCSE 20 DISCRETE MATH. Fall
CSE 20 DISCRETE MATH Fall 2017 http://cseweb.ucsd.edu/classes/fa17/cse20-ab/ Final exam The final exam is Saturday December 16 11:30am-2:30pm. Lecture A will take the exam in Lecture B will take the exam
More informationObjects Managing a Resource
Objects Managing a Resource 1 What is a Resource Respects Release/Acquire protocol files (open/close) memory allocation (allocate/free) locks (acquire/release). 2 What is a Resource Objects when constructed,
More informationLocal Reasoning about a Copying Garbage Collector
Local Reasoning about a Copying Garbage Collector NOAH TORP-SMITH and LARS BIRKEDAL IT University of Copenhagen and JOHN C. REYNOLDS Carnegie Mellon University We present a programming language, model,
More informationVS 3 : SMT Solvers for Program Verification
VS 3 : SMT Solvers for Program Verification Saurabh Srivastava 1,, Sumit Gulwani 2, and Jeffrey S. Foster 1 1 University of Maryland, College Park, {saurabhs,jfoster}@cs.umd.edu 2 Microsoft Research, Redmond,
More information